renderShrinkwrap fails with AccessOutsideProjectDenied

Hi all,

I’m troubleshooting a Foundry Code Repository CI issue and would appreciate guidance from anyone who has seen something similar.

We have a Python Transforms repository in Project A. The repo produces multiple output datasets, all of which are located inside Project A. Some transforms read input datasets from Projects B and C via Project References.

CI is currently failing only on:

:renderShrinkwrap

with:

Jemma:AccessOutsideProjectDenied
HTTP 403
Response-Code-Details=via_upstream
filePathToDatasetRids={}

The safe message is:

1 Cannot access one or more input/output datasets. The datasets are either not referenced in this project or are outside its boundaries.

All other CI tasks pass, including dependency rendering and transform spec rendering. The failure appears isolated to shrinkwrap rendering.

What we have already checked

We went through the usual Project Reference / project-boundary checklist:

  1. Outputs

    • Confirmed all output datasets are under the same Project as the code repository.
    • No transform is writing to an output dataset in another Project.
  2. External inputs

    • Enumerated all external input datasets referenced by the repo.
    • Confirmed they are already added as Project References.
    • Running the “add missing project imports” flow reports that all requested resources are already imported.
  3. Permissions

    • Checked the real build principal / project builder group, not just my user.
    • Confirmed that principal has roles on all external input datasets/projects.
    • Markings appear compatible; there are no additional markings beyond the org-level marking.
  4. Shrinkwrap

    • Inspected transforms-shrinkwrap.yml.
    • Found no obvious output outside the repo project.
    • Tried deleting/regenerating shrinkwrap in a branch, but the same AccessOutsideProjectDenied still occurs.
    • The error does not identify a specific RID; filePathToDatasetRids is empty.
  5. Code changes

    • Recent code changes only added dataset checks / derived columns and did not add new input or output datasets.
    • Reverting those changes did not clearly resolve the issue.

Additional symptom

We also saw intermittent Code Repository / Stemma behavior such as:

1

2

followed by a later attempt returning:

1

2

This made it hard to tell whether a revert actually landed on the remote branch. In some cases, the editor/API appeared to show a different working state than what CI was validating.

Questions

  1. Has anyone seen renderShrinkwrap fail with AccessOutsideProjectDenied while filePathToDatasetRids is empty?
  2. Is an empty filePathToDatasetRids a sign that the shrinkwrap rendering service failed before resolving resources, rather than a specific missing Project Reference?
  3. Besides deleting transforms-shrinkwrap.yml and regenerating, is there a recommended way to force a clean shrinkwrap rebuild?
  4. Is there a way to identify the exact offending input/output/source when renderShrinkwrap does not return a RID?
  5. Could intermittent Jgit:FailedToContactRemotes / stale branch state cause CI to validate an older commit or stale shrinkwrap?
  6. At what point should this be escalated to Palantir Support as a platform/service issue rather than a repository configuration issue?

Any debugging tips or known remediation steps would be appreciated. I can provide ErrorInstanceIDs privately to support, but omitted them here for public posting.